Abstract
In this paper, we give a location privacy-preserving solution for the mobile crowd sensing (MCS) system. The solution uses the blind signature technique for anonymous authentication and allows a mobile user to participate in the MCS a certain number of times, set at registration. Furthermore, we introduce the concept of an anonymous reputation for mobile users, also based on the blind signature technique. An anonymous reputation can be referred to by the MCS platform when assigning tasks to a mobile user and can be upgraded or downgraded by the MCS platform, depending on the quality of the reports submitted by the mobile user. For the security analysis, we provide security proofs for our solution on the basis of our formal definitions of anonymity, unlinkability and unforgeability for MCS. The performance analysis and experiments show that our solution is more efficient than existing solutions for MCS based on the blind signature technique.
Keywords
 Mobile crowd sensing
 Location privacy protection
 Anonymity
 Blind signature
 Reputation
Notes
 1.
 2. Note that we will use Server to denote our MCS platform when focusing our comparisons on registration and authentication.
 3.
 4.
References
Abe, M., Fujisaki, E.: How to date blind signatures. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 244–251. Springer, Heidelberg (1996). https://doi.org/10.1007/BFb0034851
Bellavista, P., Corradi, A., Foschini, L., Ianniello, R.: Scalable and cost-effective assignment of mobile crowdsensing tasks based on profiling trends and prediction: the participact living lab experience. Sensors 15(8), 18613–18640 (2015)
Blanton, M.: Online subscriptions with anonymous access. In: Proceedings of ASIACCS 2008, pp. 217–227 (2008)
Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000). https://doi.org/10.1007/3540455396_31
Brickell, E., Camenisch, J., Chen, L.: Direct anonymous attestation. In: Proceedings of 11th ACM Conference on Computer and Communication Security, pp. 132–145 (2004)
Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052252
Chan, A., Frankel, Y., Tsiounis, Y.: Easy come — easy go divisible cash. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 561–575. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054154
Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 199–203. Springer, Boston, MA (1983). https://doi.org/10.1007/9781475706024_18
Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/10.1007/3540464166_22
Christin, D.: Privacy in mobile participatory sensing: current trends and future challenges. J. Syst. Softw. 116, 57–68 (2016)
Cormode, G., Procopiuc, C., Srivastava, D., Shen, E., Yu, T.: Differentially private spatial decompositions. In: Proceedings of ICDE 2012, pp. 20–31 (2012)
Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Berlin (2002). https://doi.org/10.1007/9783662047224
Dwork, C.: Differential privacy. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 1–12. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_1
Ganti, R.K., Ye, F., Lei, H.: Mobile crowdsensing: current state and future challenges. IEEE Commun. Mag. 49(11), 32–39 (2011)
Guo, B., Calabrese, F., Miluzzo, E., Musolesi, M.: Mobile crowd sensing: part 1. IEEE Commun. Mag. 52(8), 20–21 (2014)
Guo, B., Calabrese, F., Miluzzo, E., Musolesi, M.: Mobile crowd sensing: part 2. IEEE Commun. Mag. 52(10), 76–77 (2014)
Juels, A., Luby, M., Ostrovsky, R.: Security of blind digital signatures. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 150–164. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052233
Kantarci, B., Glasser, P.M., Foschini, L.: Crowdsensing with social network-aided collaborative trust scores. In: Proceedings of IEEE Global Communication Conference (GLOBECOM), pp. 1–6 (2015)
Kantarci, B., Carr, K.G., Pearsall, C.D.: SONATA: social network assisted trustworthiness assurance in smart city crowdsensing. Int. J. Distrib. Syst. Technol. 7(1), 59–78 (2016)
Kapadia, A., Triandopoulos, N., Cornelius, C., Peebles, D., Kotz, D.: AnonySense: opportunistic and privacy-preserving context collection. In: Proceedings of 6th International Conference on Mobile System, Applications and Services (MobiSys), pp. 280–297 (2008)
Konidala, D.M., Deng, R.H., Li, Y., Lau, H.C., Fienberg, S.E.: Anonymous authentication of visitors for mobile crowd sensing at amusement parks. In: Deng, R.H., Feng, T. (eds.) ISPEC 2013. LNCS, vol. 7863, pp. 174–188. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642380334_13
Lynn, B.: On the implementation of pairing-based cryptosystems. Stanford University (2007)
Navas, J.C., Imielinski, T.: GeoCast - geographic addressing and routing. In: Proceedings of ACM International Conference on Mobile Computing and Networking, pp. 66–76 (1997)
Pouryazdan, M., Kantarci, B., Soyata, T., Song, H.: Anchor-assisted and vote-based trustworthiness assurance in smart city crowdsensing. IEEE Access 4, 529–541 (2016)
Pouryazdan, M., Kantarci, B., Soyata, T., Foschini, L., Song, H.: Quantifying user reputation scores, data trustworthiness, and user incentives in mobile crowdsensing. IEEE Access 5, 1382–1397 (2017)
Ramzan, Z., Ruhl, M.: Protocols for anonymous subscription services (2000). (Unpublished Manuscript)
Ren, J., Zhang, Y., Zhang, K., Shen, X.S.: SACRM: social aware crowdsourcing with reputation management in mobile sensing. Comput. Commun. 65, 55–65 (2015)
Shina, M., Cornelius, C., Peebles, D., Kapadia, A., Kotz, D., Triandopoulos, N.: AnonySense: a system for anonymous opportunistic sensing. Pervasive Mobile Comput. 7, 16–30 (2011)
Sweeney, L.: k-anonymity: a model for protecting privacy. Int. J. Uncertainty Fuzziness Knowl.-Based Syst. 10, 557–570 (2002)
To, H., Ghinita, G., Shahabi, C.: A framework for protecting worker location privacy in spatial crowdsourcing. In: Proceedings of VLDB 2014, pp. 919–930 (2014)
Vergara-Laurens, I.J., Jaimes, L.G., Labrador, M.A.: Privacy-preserving mechanisms for crowdsensing: survey and research challenges. IEEE IoT J. 4(4), 855–869 (2017)
Wang, X., Liu, Z., Tian, X., Gan, X., Guan, Y., Wang, X.: Incentivizing crowdsensing with location-privacy preserving. IEEE Trans. Wirel. Commun. 16(10), 6940–6952 (2017)
Acknowledgements
This research is supported by the National Research Foundation, Prime Minister’s Office, Singapore under its Strategic Capability Research Centres Funding Initiative, and Australian Research Council (ARC) Discovery Projects DP160100913 & DP180103251.
Appendix: Security Analysis
The proposed LPP protocol is based on the blind signature scheme. According to [17], a blind digital signature scheme is secure if, for all probabilistic polynomial-time (PPT) algorithms \(\mathcal {A}\), the following two considerations hold.
Blindness Property: Let b be a random bit which is kept secret from \(\mathcal {A}\). \(\mathcal {A}\) executes the following experiment (where \(\mathcal {A}\) controls the signer, but not the user, and tries to predict b):

Step 1: \((pk,sk)\leftarrow \mathsf {Gen}(1^k)\)

Step 2: \((m_0, m_1)\leftarrow \mathcal {A}(1^k,pk,sk)\) (i.e. \(\mathcal {A}\) produces two documents, where (\(m_0, m_1\)) are by convention lexicographically ordered and may even depend on pk and sk).

Step 3: We denote by (\(m_b, m_{1-b}\)) the same two documents (\(m_0, m_1\)), ordered according to the value of bit b, where the value of b is hidden from \(\mathcal {A}\). \(\mathcal {A}(1^k,pk,sk,m_0, m_1)\) engages in two parallel (and arbitrarily interleaved) interactive protocols, the first with \(User(pk,m_b)\) and the second with \(User(pk,m_{1-b})\).

Step 4: If the first user outputs on his private tape \(\sigma (m_b)\) (i.e., does not output fail) and the second user outputs on his private tape \(\sigma (m_{1-b})\) (i.e., also does not output fail) then \(\mathcal {A}\) is given as an additional input (\(\sigma (m_b), \sigma (m_{1-b})\)) ordered according to the corresponding (\(m_0, m_1\)) order. (We remark that we do not insist that this happens, and either one or both users may output fail).

Step 5: \(\mathcal {A}\) outputs a bit \(b'\) (given his view of steps 1 through 3, and if conditions are satisfied, of step 4 as well).
Then the probability, taken over the choice of b, over the coin-flips of the key-generation algorithm, the coin-flips of \(\mathcal {A}\), and the (private) coin-flips of both users (from step 3), that \(b'=b\) is negligibly close to 1/2.
Unforgeability Property: \(\mathcal {A}\) executes the following experiment (where \(\mathcal {A}\) controls the user, but not the signer, and tries to get one more signature):

Step 1: \((pk,sk)\leftarrow \mathsf {Gen}(1^k)\)

Step 2: \(\mathcal {A}(pk)\) engages in polynomially many (in k) adaptive, parallel and arbitrarily interleaved interactive protocols with polynomially many copies of \(\mathsf {Signer}(pk, sk)\), where \(\mathcal {A}\) decides in an adaptive fashion when to stop. Let \(\ell \) denote the number of executions in which the signer output "completed" at the end of Step 2.

Step 3: \(\mathcal {A}\) outputs a collection \(\{(m_1, \sigma (m_1)), (m_2, \sigma (m_2)),\cdots , (m_j,\sigma (m_j))\}\) subject to the constraint that all (\(m_i, \sigma (m_i)\)) for \(1\le i\le j\) are accepted by \(\mathsf {Verify}(pk, m_i, \sigma (m_i))\).
Then the probability, taken over the coin-flips of the key-generation algorithm, the coin-flips of \(\mathcal {A}\), and the (private) coin-flips of the Signer, that \(j >\ell \) is negligible.
For the following security analysis, we make an assumption, which can reasonably be expected to hold in practice. We assume that on average the users have the same total access times (i.e., during the registration, n is the same for every user), and access the MCS system with the same frequency. This implies that at every given point in time, there will be a similar number of users that have each possible remaining access times (i.e., \(\ell \)). In other words, the number of remaining access times for a user is equally likely to be any number between 1 and n (i.e., \(1\le \ell \le n\)).
In addition, we assume that Chaum's blind signature scheme [8] is secure in terms of blindness and unforgeability.
During MCS, the platform learns one thing: it sees the anonymous certificates and anonymous reputations, i.e., the blind signatures, used in MCS. We claim that the MCS platform learns nothing from the blind signatures themselves other than the number of times the mobile user has participated and the reputation level of the mobile user in MCS.
First, let us analyse the anonymity of the proposed protocol with a game according to Definition 1 in Sect. 2. For this security analysis, we assume that the MCS platform is malicious and tries to identify the mobile user.
Given two mobile users \(U_0\) and \(U_1\), assume that the MCS platform runs the registration protocol with them, respectively, to issue blind signatures to them for anonymous authentication.
Let us choose a bit b randomly.
In the authentication phase, the mobile user \(U_b\) submits the authentication request \(\{MCS, D_b,E_{k_b}(MCS,(\ell _b,m_b, C_{a,b}),A_{a,b}')\}\) to the platform. The platform can derive the secret key \(k_b\) from \(D_b\) with its private key \(d_a\) and perform decryption to obtain the anonymous certificate \(\{\ell _b,m_b,C_{a,b}\}\). Due to the blindness property of Chaum's blind signature, the platform cannot tell whether the blind signature is from the mobile user \(U_0\) or \(U_1\).
In the task assignment phase, the mobile user \(U_b\) submits to the MCS platform a task request \(\{MCS,D_b, E_{k_b}(MCS, (\lambda _b, M_b, C_{r,b}),A_{r,b}', T_b)\}\). With \(k_b\) corresponding to \(D_b\), the platform performs decryption to obtain the anonymous reputation \(\{\lambda _b, M_b, C_{r,b}\}\). Due to the blindness property of Chaum's blind signature, the MCS platform cannot tell whether the blind signature is from the mobile user \(U_0\) or \(U_1\).
In the report and reward phase, the mobile user does not submit any blind signature to the MCS platform. The MCS platform has no way to distinguish the mobile users in this phase.
Based on the above security analysis, according to Definition 1 for anonymity, we conclude that
Theorem 1
The proposed LPP protocol has anonymity if Chaum's blind signature has blindness.
Next, let us analyse the unlinkability of the proposed protocol with a game.
Given two mobile users \(U_0\) and \(U_1\), assume that the platform runs the protocol with \(U_0\) and \(U_1\), respectively, and keeps two anonymous certificates and two anonymous reputations: \(\{\ell _0, m_0,C_{a,0}\}\) and \(\{\ell _0, M_0,C_{a,0}\}\) from \(U_0\), \(\{\ell _1, m_1, C_{a,1}\}\) and \(\{\ell _1, M_1,C_{a,1}\}\) from \(U_1\).
Next, let us choose a bit b randomly. User \(U_b\) runs the protocol with the MCS platform again and provides the MCS platform with anonymous certificate and anonymous reputation: \(\{\ell _b', m_b',C_{a,b}'\}\) and \(\{\ell _b', M_b',C_{a,b}'\}\).
Due to the blindness property of Chaum's blind signature, the MCS platform cannot tell whether the blind signatures \(\{\ell _b', m_b',C_{a,b}'\}\) and \(\{\ell _b', M_b',C_{a,b}'\}\) are from the mobile user \(U_0\) or \(U_1\). Based on the above analysis, according to Definition 2 for unlinkability, we conclude that
Theorem 2
The proposed LPP protocol has unlinkability if Chaum's blind signature has blindness.
Finally, let us analyse the unforgeability of the proposed protocol with a game.
For this analysis, we assume that a group of mobile users is malicious. For simplicity, we first consider anonymous certificates only; the security analysis then extends easily to anonymous reputations, because both are blind signatures.
In the proposed LPP protocol, a valid anonymous certificate takes the form of \(\{\ell , m,C=H(MCS, m)^{(2\ell +1)^{-1}d_a}\}\) for \(\ell =1,2,\cdots \). Assume that the adversary is given t valid anonymous certificates \(\{\ell _i, m_i,C_i\}\) for \(i=1,2,\cdots ,t\). If the adversary can generate a new anonymous certificate, different from the given t anonymous certificates, he wins the game.
In the given t valid anonymous certificates, if \(\ell _1=\ell _2=\cdots =\ell _t=\ell \), the adversary cannot forge any new anonymous certificate because Chaum's blind signature for the public key \((2\ell +1)e_a\) has unforgeability.
In the given t valid anonymous certificates, if we group certificates on the basis of the public key \((2\ell +1)e_a\), the adversary cannot forge any new certificate in any group with the same public key because Chaum's blind signature for the public key \((2\ell +1)e_a\) has unforgeability.
Now let us consider the possibility of forging a new anonymous certificate across the groups, i.e., how to forge a new anonymous certificate \(\{\ell ', m',C'=H(MCS, m')^{(2\ell '+1)^{-1}d_a}\}\) with two anonymous certificates \(\{\ell _1,m_1,C_1\}\) such that \(C_1=H(MCS, m_1)^{(2\ell _1+1)^{-1}d_a}(mod~N)\) and \(\{\ell _2, m_2,C_2\}\) such that \(C_2=H(MCS, m_2)^{(2\ell _2+1)^{-1}d_a}(mod~N)\), where \(\ell _1\not =\ell _2\).
Because the hash function H is collision-resistant, from \(H(MCS,m_1)^{(2\ell _1+1)^{-1}d}\) and \(H(MCS, m_2)^{(2\ell _2+1)^{-1}d}\), it is hard to forge a new anonymous certificate (\(\ell ',m',C'\)) as follows.

\(C'=H(MCS, m_1)^{(2\ell '+1)^{-1}d_a}(mod~N)\) for some \(\ell '\), such that \(\ell '\not =\ell _1\).

\(C'=H(MCS,m_2)^{(2\ell '+1)^{-1}d_a}(mod~N)\) for some \(\ell '\), such that \(\ell '\not =\ell _2\).

\(C'=H(MCS,m')^{(2\ell '+1)^{-1}d_a}(mod~N)\) for some \(\ell '\), such that \(m'\not =m_1\) and \(m'\not =m_2\).
In view of this, we conclude that
Theorem 3
The proposed LPP protocol has unforgeability if Chaum's blind signature has unforgeability and the hash function H is collision-resistant.
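The certificate form \(C=H(MCS, m)^{(2\ell +1)^{-1}d_a}\) and its public key \((2\ell +1)e_a\) used in the anonymity and unforgeability arguments above can be exercised with textbook Chaum RSA blinding. This is an added example, not code from the paper: the toy primes, the SHA-256 stand-in for H, the sample message and all function names are assumptions.

```python
import hashlib
import math
import secrets

# Constructed toy parameters, far too small for real use. Safe primes are an
# assumption of this sketch: they keep every small odd 2*l+1 invertible mod phi(N).
P, Q = 1019, 1187
N, PHI = P * Q, (P - 1) * (Q - 1)
E_A = 65537                    # platform's base public exponent e_a
D_A = pow(E_A, -1, PHI)        # platform's base private exponent d_a

def H(m: bytes) -> int:
    """Stand-in for H(MCS, m): SHA-256 reduced mod N (assumed encoding)."""
    return int.from_bytes(hashlib.sha256(b"MCS|" + m).digest(), "big") % N

def pub_exp(l: int) -> int:
    return (2 * l + 1) * E_A                      # public key (2l+1)e_a

def priv_exp(l: int) -> int:
    return pow(2 * l + 1, -1, PHI) * D_A % PHI    # (2l+1)^{-1} d_a

def blind(m: bytes, l: int):
    """User side: hide H(MCS, m) behind a random factor r^((2l+1)e_a)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return H(m) * pow(r, pub_exp(l), N) % N, r

def sign_blinded(blinded: int, l: int) -> int:
    """Platform side: sees only the blinded value, never m or H(MCS, m)."""
    return pow(blinded, priv_exp(l), N)

def unblind(s: int, r: int) -> int:
    return s * pow(r, -1, N) % N

def verify(l: int, m: bytes, c: int) -> bool:
    return pow(c, pub_exp(l), N) == H(m)

def issue(m: bytes, l: int) -> int:
    """Full exchange; returns C for the certificate {l, m, C}."""
    blinded, r = blind(m, l)
    return unblind(sign_blinded(blinded, l), r)

if __name__ == "__main__":
    m = b"constructed-pseudonym"
    c = issue(m, 3)
    print(verify(3, m, c), verify(2, m, c))  # certificate is bound to its l
```

The unblinded value equals a direct signature on \(H(MCS, m)\) under the exponent for \(\ell\), and it fails verification under the public key of any other group, which is the grouping by \((2\ell +1)e_a\) that the unforgeability argument relies on.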
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Yi, X., Lam, KY., Bertino, E., Rao, FY. (2019). Location Privacy-Preserving Mobile Crowd Sensing with Anonymous Reputation. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science, vol 11736. Springer, Cham. https://doi.org/10.1007/9783030299620_19
DOI: https://doi.org/10.1007/9783030299620_19
Publisher Name: Springer, Cham
Print ISBN: 9783030299613
Online ISBN: 9783030299620
eBook Packages: Computer Science, Computer Science (R0)